Check: CF11-05-000196
Adobe ColdFusion 11 STIG: CF11-05-000196 (in versions v2 r1 through v1 r2)
Title
ColdFusion must encrypt cookies. (Cat II impact)
Discussion
Preventing the disclosure of transmitted information requires that the application server employ some form of cryptographic mechanism to protect the information in transit. This is usually achieved through Transport Layer Security (TLS). Protecting session cookies in transit is especially important, since an attacker who captures the session ID can hijack the already authenticated session. There are several methods to protect cookie data, and one of them is to mark the cookie as Secure, so that browsers transmit it only over an encrypted (HTTPS) connection. This can only be done if all the hosted sites are SSL/TLS enabled; a Secure cookie is never sent over plain HTTP, so a site served without TLS would lose its session.
Check Content
Within the Administrator Console, navigate to the "Memory Variables" page under the "Server Settings" menu. If "Secure Cookie" is not checked, this is a finding.
Fix Text
Navigate to the "Memory Variables" page under the "Server Settings" menu. Check "Secure Cookie" and select the "Submit Changes" button.
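The Administrator Console setting above is the authoritative check, but an auditor often wants to confirm from the outside that the server actually emits its session cookies with the Secure attribute. The following script is an added example and is not part of the STIG or of ColdFusion; it parses Set-Cookie headers the way a browser does and reports any cookie missing the Secure (and, as a secondary check, HttpOnly) attribute. The header values are constructed sample data; CFID and CFTOKEN are the ColdFusion session cookie names assumed for the sample, and the optional fetch helper is a plain urllib call against whatever URL the auditor supplies.

```python
"""Audit Set-Cookie headers for the Secure attribute (added example, not STIG code)."""
import urllib.request

# Cookie names treated as session identifiers for this audit (assumption:
# ColdFusion's CFID/CFTOKEN plus the servlet container's JSESSIONID).
SESSION_COOKIE_NAMES = {"cfid", "cftoken", "jsessionid"}

# Constructed sample responses: the first set is what a server with
# "Secure Cookie" unchecked might emit, the second after the fix is applied.
SAMPLE_HEADERS_BEFORE_FIX = [
    "CFID=1234567; Path=/; HttpOnly",
    "CFTOKEN=abc123def456; Path=/; HttpOnly",
    "JSESSIONID=0000SAMPLESESSION; Path=/; Secure; HttpOnly",
]
SAMPLE_HEADERS_AFTER_FIX = [
    "CFID=1234567; Path=/; Secure; HttpOnly",
    "CFTOKEN=abc123def456; Path=/; Secure; HttpOnly",
    "JSESSIONID=0000SAMPLESESSION; Path=/; Secure; HttpOnly",
]


def parse_set_cookie(header_value):
    """Split one Set-Cookie header into (name, value, attributes).

    Attribute names are lower-cased; flag attributes such as Secure and
    HttpOnly carry no value and are stored as True.
    """
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs


def browser_would_send(attrs, scheme):
    """Model the browser rule: a Secure cookie travels only over https."""
    if attrs.get("secure") is True:
        return scheme == "https"
    return True


def audit_cookies(set_cookie_headers):
    """Return a list of (cookie_name, [missing attributes]) for every cookie
    that lacks Secure or HttpOnly; an empty list means nothing to report."""
    findings = []
    for header in set_cookie_headers:
        name, _, attrs = parse_set_cookie(header)
        missing = [flag for flag, key in (("Secure", "secure"), ("HttpOnly", "httponly"))
                   if attrs.get(key) is not True]
        if missing:
            findings.append((name, missing))
    return findings


def session_cookies_secure(set_cookie_headers):
    """The condition this STIG check cares about: every session cookie
    the server sets must carry the Secure attribute."""
    for header in set_cookie_headers:
        name, _, attrs = parse_set_cookie(header)
        if name.lower() in SESSION_COOKIE_NAMES and attrs.get("secure") is not True:
            return False
    return True


def fetch_set_cookie_headers(url):
    """Collect the Set-Cookie headers from a live response (network call;
    used only when run as a script against a URL the auditor chooses)."""
    with urllib.request.urlopen(url) as resp:
        return resp.headers.get_all("Set-Cookie") or []


if __name__ == "__main__":
    for label, headers in (("before fix", SAMPLE_HEADERS_BEFORE_FIX),
                           ("after fix", SAMPLE_HEADERS_AFTER_FIX)):
        print(f"{label}: session cookies secure = {session_cookies_secure(headers)}")
        for name, missing in audit_cookies(headers):
            print(f"  {name}: missing {', '.join(missing)}")
```

Running the script against the constructed samples reports CFID and CFTOKEN as missing Secure before the fix and nothing after it. To use it on a real server, call `fetch_set_cookie_headers` with the site's HTTPS URL and pass the result to `session_cookies_secure`; the `browser_would_send` helper makes the point in the Discussion concrete: once Secure is set, a browser will not return the session cookie to any hosted site that is still served over plain HTTP.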
Additional Identifiers
Rule ID: SV-237219r641752_rule
Vulnerability ID: V-237219
Group Title: SRG-APP-000439-AS-000155
CCIs
Number | Definition |
---|---|
CCI-002418 | Protect the confidentiality and/or integrity of transmitted information. |
Controls
Number | Title |
---|---|
SC-8 | Transmission Confidentiality and Integrity |